batch-git-url-replace

Security checks across malware telemetry and agentic risk

Overview

This skill openly provides instructions to bulk-update Git remote URLs; the main risk is accidental, overbroad repository changes, not hidden or malicious behavior.

Use this only with a narrow scan directory, verify the old and new URL strings carefully, and consider backing up affected `.git/config` files or testing on a small folder first. After running it, check representative repositories with `git remote -v` before pushing code.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill provides recursive, bulk in-place modification of `.git/config` files across all repositories under a user-supplied directory, but it does not include safeguards such as dry-run output, scope confirmation, backup creation, or warnings about mass repository reconfiguration. This creates a real safety/security risk because an incorrect path or replacement value can silently repoint many repositories to unintended remotes, disrupting source integrity and potentially causing code to be pushed to the wrong server.

VirusTotal

64/64 vendors flagged this skill as clean.
